ACL SETUSER allows granting access to key patterns with spaces. For example:
acl setuser user1 "~foo bar:*" on nopass
OK
ACL GETUSER confirms user1 has access to "foo bar:*":
127.0.0.1:6380> acl getuser user1
1) "flags"
2) 1) "on"
2) "nopass"
3) "passwords"
4) (empty list or set)
5) "commands"
6) "-@all"
7) "keys"
8) 1) "foo bar:*"
However, the ACL LIST representation does not wrap the key pattern in quotes:
127.0.0.1:6380> acl list
1) "user default on nopass ~* +@all"
2) "user user1 on nopass ~foo bar:* -@all"
This ACL representation is invalid, and ACL SAVE followed by ACL LOAD will result in an error, as the server's parser thinks that "bar:*" is supposed to be a flag.
Worse, this could be abused with a clever key pattern like so:
127.0.0.1:6380> acl setuser user2 "~foo reset" on nopass
OK
Saving and loading will result in user2's access being reset when reading the ACL.
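The round trip described above, as an added toy model written for this page (it is not Redis source code and simplifies the real ACL grammar): ACL LIST is modelled as joining the rules with spaces without quoting, ACL LOAD as splitting each line on whitespace, and the `strict` flag on `acl_setuser` mirrors the eventual fix of rejecting spaces in usernames and key patterns. The class, function and field names are assumptions made for the illustration.

```python
# Added illustration, not Redis code: a toy model of the ACL LIST / ACL LOAD
# round trip from the report. The rule grammar is deliberately reduced to
# on/off/nopass/reset, ~pattern and a single +/- command rule.
import re
from dataclasses import dataclass, field


@dataclass
class AclUser:
    name: str
    enabled: bool = False
    nopass: bool = False
    commands: str = "-@all"
    keys: list = field(default_factory=list)

    def reset(self):
        """Model of the 'reset' rule: back to a freshly created, locked-down user."""
        self.enabled = False
        self.nopass = False
        self.commands = "-@all"
        self.keys = []


def acl_list_line(user):
    """Serialize like the reported ACL LIST output: key patterns are NOT
    quoted, so a pattern containing a space is emitted as two bare words."""
    parts = ["user", user.name, "on" if user.enabled else "off"]
    if user.nopass:
        parts.append("nopass")
    parts.extend("~" + k for k in user.keys)
    parts.append(user.commands)
    return " ".join(parts)


def apply_rules(user, rules):
    """Apply ACL rules in order; unknown words are errors, as the report observes."""
    for rule in rules:
        if rule == "on":
            user.enabled = True
        elif rule == "off":
            user.enabled = False
        elif rule == "nopass":
            user.nopass = True
        elif rule == "reset":
            user.reset()
        elif rule.startswith("~"):
            user.keys.append(rule[1:])
        elif rule and rule[0] in "+-":
            user.commands = rule
        else:
            raise ValueError(f"Error in ACL rule: unknown rule {rule!r}")
    return user


def acl_load_line(line):
    """Model of ACL LOAD reading one line: whitespace split, no quoting support."""
    words = line.split()
    if len(words) < 2 or words[0] != "user":
        raise ValueError("malformed user line")
    return apply_rules(AclUser(words[1]), words[2:])


def acl_setuser(name, *rules, strict=False):
    """Model of ACL SETUSER. With strict=True, behave like the fix that shipped:
    usernames and key patterns containing whitespace are rejected up front."""
    if strict:
        for s in (name, *(r[1:] for r in rules if r.startswith("~"))):
            if re.search(r"\s", s):
                raise ValueError("usernames and key patterns cannot contain spaces")
    return apply_rules(AclUser(name), rules)


def roundtrip(user):
    """ACL SAVE followed by ACL LOAD for a single user."""
    return acl_load_line(acl_list_line(user))


if __name__ == "__main__":
    user1 = acl_setuser("user1", "~foo bar:*", "on", "nopass")
    print(acl_list_line(user1))          # ~foo bar:* is split into two words
    try:
        roundtrip(user1)
    except ValueError as exc:
        print("user1:", exc)             # bar:* is not a valid rule
    user2 = acl_setuser("user2", "~foo reset", "on", "nopass")
    print("user2 after reload:", roundtrip(user2))   # silently reset
    try:
        acl_setuser("user2", "~foo reset", "on", "nopass", strict=True)
    except ValueError as exc:
        print("strict:", exc)
```

Running the script shows the two failure modes side by side: user1's line fails to load because `bar:*` is an unknown rule, while user2's line loads without error but leaves the user disabled with no key access, because the bare word `reset` is honoured as a rule. The `strict=True` path refuses both patterns at ACL SETUSER time instead.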
Comment From: gkorland
@antirez it seems like something that should be fixed before 6GA
Comment From: antirez
@andymccurdy @gkorland yep indeed, good catch, thank you.
Comment From: antirez
Ok, fixed: spaces are no longer allowed in usernames and key patterns. I experimented with the other option of giving full support for them, but in that case the ACL LIST output is no longer ready to be pasted back in the correct format, and in general it is of little value and exposes us to security problems in the future. If needed in the future we can relax this, but in that case we need an sdscatrepr() function variant that is able to avoid quoting stuff if there are no actual escapes needed.